Posted by ctiggerf on 12/30/06 14:43
Anthony Smith wrote:
> I am looking into building a web application and one of the things I
> want to do is to make sure the user is logged in. I know I can do this
> by checking the session for a user object or something similar. Is
> there a best practice for this? Currently what I do is have each page
> include a check session include file.
There are many "best practices" for securing your webapps. And there is
a ton of argument as to which is the best of them all. The solution
you pick is going to depend greatly on whether or not you decide to use
a database of some kind (MySQL, or even a flat file db). I use a
database solution for all my sites and follow this sort of algorithm:
    function check_login() {
        get auth_string from session variable
        if auth_string is not null {
            validate auth_string, check for SQL injection
            SELECT COUNT(*) FROM users_table
                WHERE $auth_string = MD5(CONCAT(username, auth_key))
            if count == 1 return true
        }
        get username, password from post variables
        validate username and password, check for SQL injection
        SELECT COUNT(*) FROM users_table
            WHERE username=$username AND password=$password
        if count == 1 {
            generate a new auth_key
            update user record with auth_key
            set session variable to MD5(username + auth_key)
            return true
        }
        return false
    }
For generating the new auth key, I just use a random string of letters
and numbers, there are a ton of algorithms out there for that, or you
could just use a time string or something.
Now you would do this on every page you wanted under your login:
    if check_login() show page
    else show login form
That may not be the best solution, you may also want to implement some
form of time out to it as well, but for my purposes it works good. You
can feel free to email me if you have questions about it.
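The same two-step flow (session token first, POSTed credentials second, fresh token on success) written out as an added, runnable example; this is not ctiggerf's code, and it makes a few choices the post leaves open: the auth key comes from the OS random source rather than a time string, the password column holds a salted PBKDF2 hash instead of the plaintext compared in the pseudocode, every lookup is a parameterized query (so the "check for SQL injection" step is done by the driver rather than by hand), and the idle timeout mentioned at the end is included. The SQLite table, the 30-minute timeout and the `now` parameter are assumptions for the example; `session` and `post` are plain dicts standing in for the web framework's objects.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for the poster's users_table.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE users_table (username TEXT PRIMARY KEY, salt BLOB, "
    "pw_hash BLOB, auth_key TEXT, auth_expires REAL)"
)

SESSION_TIMEOUT = 30 * 60  # idle timeout in seconds (assumed value)


def _hash_password(password, salt):
    # Salted PBKDF2 instead of a plaintext password column; the
    # iteration count is an assumed work factor for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(username, password):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users_table VALUES (?, ?, ?, NULL, NULL)",
        (username, salt, _hash_password(password, salt)),
    )


def _issue_auth_key(username, session, now):
    # The auth_key is 256 random bits from the OS CSPRNG, so it cannot be
    # predicted the way a timestamp-derived key could.
    auth_key = os.urandom(32).hex()
    conn.execute(
        "UPDATE users_table SET auth_key = ?, auth_expires = ? WHERE username = ?",
        (auth_key, now + SESSION_TIMEOUT, username),
    )
    session["username"] = username
    session["auth_key"] = auth_key


def check_login(session, post, now):
    """Return True if the session carries a valid, unexpired auth key, or if
    the POSTed username/password are correct (a fresh key is issued then)."""
    # Step 1: is there an existing, still-valid session?
    if "auth_key" in session and "username" in session:
        row = conn.execute(
            "SELECT auth_key, auth_expires FROM users_table WHERE username = ?",
            (str(session["username"]),),
        ).fetchone()
        if row and row[0] is not None and row[1] is not None and now < row[1]:
            # Constant-time comparison of the stored key and the session copy.
            if hmac.compare_digest(row[0].encode(), str(session["auth_key"]).encode()):
                # Sliding expiry: each successful check extends the timeout.
                conn.execute(
                    "UPDATE users_table SET auth_expires = ? WHERE username = ?",
                    (now + SESSION_TIMEOUT, str(session["username"])),
                )
                return True
        # Expired, unknown or tampered session data: discard it and fall
        # through to the credential check (i.e. the login form).
        session.clear()

    # Step 2: fresh login from POSTed credentials.
    username = post.get("username")
    password = post.get("password")
    if not username or not password:
        return False
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_table WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    if not hmac.compare_digest(row[1], _hash_password(password, row[0])):
        return False
    _issue_auth_key(username, session, now)
    return True


if __name__ == "__main__":
    import time
    create_user("alice", "correct horse battery staple")
    s = {}
    print(check_login(s, {"username": "alice", "password": "wrong"}, time.time()))
    print(check_login(s, {"username": "alice",
                          "password": "correct horse battery staple"}, time.time()))
    print(check_login(s, {}, time.time()))  # session key alone is enough now
```

Each protected page calls `check_login(session, post, time.time())` and shows the page on True or the login form on False, exactly as in the pseudocode above; clearing the session on any failed token check is what makes the timeout actually log the user out rather than silently leaving stale data behind.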